/*
 *   This program is is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or (at
 *   your option) any later version.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with this program; if not, write to the Free Software
 *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */

/**
 * $Id$
 * @file lib/ldap/connection.c
 * @brief Asynchronous connection management functions for LDAP.
 *
 * @copyright 2017 Arran Cudbard-Bell (a.cudbardb@freeradius.org)
 */
RCSID("$Id$")

USES_APPLE_DEPRECATED_API

#include <freeradius-devel/ldap/base.h>
#include <freeradius-devel/util/debug.h>

/*
 *	Lookup of libldap result message types to meaningful strings
 */
static char const *ldap_msg_types[UINT8_MAX] = {
	[LDAP_RES_BIND]			= "bind response",
	[LDAP_RES_SEARCH_ENTRY]		= "search entry",
	[LDAP_RES_SEARCH_REFERENCE]	= "search reference",
	[LDAP_RES_SEARCH_RESULT]	= "search result",
	[LDAP_RES_MODIFY]		= "modify response",
	[LDAP_RES_ADD]			= "add response",
	[LDAP_RES_DELETE]		= "delete response",
	[LDAP_RES_MODDN]		= "modify dn response",
	[LDAP_RES_COMPARE]		= "compare response",
	[LDAP_RES_EXTENDED]		= "extended response",
	[LDAP_RES_INTERMEDIATE]		= "intermediate response"
};


/** Allocate and configure a new connection
 *
 * Configures both our ldap handle, and libldap's handle.
 *
 * This can be used by async code and async code as no attempt is made to connect
 * to the LDAP server.  An attempt will only be made if ldap_start_tls* or ldap_bind*
 * functions are called.
 *
 * If called on an #fr_ldap_connection_t which has already been initialised, will
 * clear any memory allocated to the connection, unbind the ldap handle, and reinitialise
 * everything.
 *
 * @param[in] c		to configure.
 * @param[in] config	to apply.
 * @return
 *	- 0 on success.
 *	- -1 on error.
 */
int fr_ldap_connection_configure(fr_ldap_connection_t *c, fr_ldap_config_t const *config)
{
	LDAP	*handle = NULL;
	int	ldap_errno, ldap_version, keepalive, probes, is_server;

	fr_assert(config->server);

	ldap_errno = ldap_initialize(&handle, config->server);
	if (ldap_errno != LDAP_SUCCESS) {
		ERROR("ldap_initialize failed: %s", ldap_err2string(ldap_errno));
	error:
		return -1;
	}

	DEBUG3("New connection %p libldap handle %p", c, handle);

	c->config = config;
	c->handle = handle;

	/*
	 *	We now have a connection structure, but no actual connection.
	 *
	 *	Set a bunch of LDAP options, using common code.
	 */
#define do_ldap_option(_option, _name, _value) \
	if (ldap_set_option(c->handle, _option, _value) != LDAP_OPT_SUCCESS) do { \
		ldap_get_option(c->handle, LDAP_OPT_ERROR_NUMBER, &ldap_errno); \
		ERROR("Failed setting connection option %s: %s", _name, \
		      (ldap_errno != LDAP_SUCCESS) ? ldap_err2string(ldap_errno) : "Unknown error"); \
		goto error;\
	} while (0)

DIAG_OFF(unused-macros)
#define maybe_ldap_option(_option, _name, _value) \
	if (_value) do_ldap_option(_option, _name, _value)
DIAG_ON(unused-macros)

	/*
	 *	Leave "dereference" unset to use the OpenLDAP default.
	 */
	if (config->dereference_str) do_ldap_option(LDAP_OPT_DEREF, "dereference", &(config->dereference));

	/*
	 *	We handle our own referral chasing as there is no way to
	 *	get the fd for a referred query.
	 */
	do_ldap_option(LDAP_OPT_REFERRALS, "chase_referrals", LDAP_OPT_OFF);

	/*
	 *	A value of zero results in an handle configuration failure.
	 *
	 *	When most people specify zero they mean infinite.
	 *
	 *	libldap requires tv_sec to be -1 to mean that.
	 */
	do_ldap_option(LDAP_OPT_NETWORK_TIMEOUT, "net_timeout",
		       (fr_time_delta_ispos(config->net_timeout) ?
				&fr_time_delta_to_timeval(config->net_timeout) :
				&(struct timeval) { .tv_sec = -1, .tv_usec = 0 }));

	do_ldap_option(LDAP_OPT_TIMELIMIT, "srv_timelimit", &fr_time_delta_to_timeval(config->srv_timelimit));

	ldap_version = LDAP_VERSION3;
	do_ldap_option(LDAP_OPT_PROTOCOL_VERSION, "ldap_version", &ldap_version);

	keepalive = fr_time_delta_to_sec(config->keepalive_idle);
	do_ldap_option(LDAP_OPT_X_KEEPALIVE_IDLE, "keepalive_idle", &keepalive);

	probes = config->keepalive_probes;
	do_ldap_option(LDAP_OPT_X_KEEPALIVE_PROBES, "keepalive_probes", &probes);

	keepalive = fr_time_delta_to_sec(config->keepalive_interval);
	do_ldap_option(LDAP_OPT_X_KEEPALIVE_INTERVAL, "keepalive_interval", &keepalive);

	if (config->sasl_secprops) do_ldap_option(LDAP_OPT_X_SASL_SECPROPS, "sasl_secprops", config->sasl_secprops);

	/*
	 *	Everything after this point is TLS related - so don't set if TLS not in use.
	 */
	if (!config->tls_mode && !config->start_tls) return 0;

	/*
	 *	Set all of the TLS options
	 */
	if (config->tls_mode) do_ldap_option(LDAP_OPT_X_TLS, "tls_mode", &(config->tls_mode));

	maybe_ldap_option(LDAP_OPT_X_TLS_CACERTFILE, "ca_file", config->tls_ca_file);
	maybe_ldap_option(LDAP_OPT_X_TLS_CACERTDIR, "ca_path", config->tls_ca_path);

	/*
	 *	Set certificate options
	 */
	maybe_ldap_option(LDAP_OPT_X_TLS_CERTFILE, "certificate_file", config->tls_certificate_file);
	maybe_ldap_option(LDAP_OPT_X_TLS_KEYFILE, "private_key_file", config->tls_private_key_file);

	if (config->tls_require_cert_str) {
		do_ldap_option(LDAP_OPT_X_TLS_REQUIRE_CERT, "require_cert", &config->tls_require_cert);
	}

	if (config->tls_min_version_str) {
		do_ldap_option(LDAP_OPT_X_TLS_PROTOCOL_MIN, "tls_min_version", &config->tls_min_version);
	}

	/*
	 *	Counter intuitively the TLS context appears to need to be initialised
	 *	after all the TLS options are set on the handle.
	 */

	/* Always use the new TLS configuration context */
	is_server = 0;
	do_ldap_option(LDAP_OPT_X_TLS_NEWCTX, "new TLS context", &is_server);

	if (config->start_tls) {
		if (config->port == LDAPS_PORT) {
			WARN("Told to Start TLS on LDAPS port this will probably fail, please correct the "
			     "configuration");
		}
	}

	return 0;
}

/** Free the handle, closing the connection to ldap
 *
 * @param[in] el	UNUSED.
 * @param[in] h		to close.
 * @param[in] uctx	Connection config and handle.
 */
static void _ldap_connection_close(fr_event_list_t *el, void *h, UNUSED void *uctx)
{
	fr_ldap_connection_t *c = talloc_get_type_abort(h, fr_ldap_connection_t);

	/*
	 *	Explicitly remove the file descriptor event
	 *
	 *	Even if the fr_ldap_connection_t has outstanding
	 *	queries, we still don't want its fd in the event loop.
	 */
	if (c->fd >= 0) {
		fr_event_fd_delete(el, c->fd, FR_EVENT_FILTER_IO);
		c->fd = -1;
	}

	talloc_free(h);
}

/** Close and delete a connection
 *
 * Unbinds the LDAP connection, informing the server and freeing any memory, then releases the memory used by the
 * connection handle.
 *
 * @param[in] c		to destroy.
 * @return always indicates success.
 */
static int _ldap_connection_free(fr_ldap_connection_t *c)
{
	/*
	 *	If there are any pending queries, don't free
	 */
	if (((c->queries) && (fr_rb_num_elements(c->queries) > 0)) || (fr_dlist_num_elements(&c->refs) > 0)) return -1;

	talloc_free_children(c);	/* Force inverted free order */

	if (c->handle) {
		LDAPControl	*our_serverctrls[LDAP_MAX_CONTROLS];
		LDAPControl	*our_clientctrls[LDAP_MAX_CONTROLS];

		fr_ldap_control_merge(our_serverctrls, our_clientctrls,
				      NUM_ELEMENTS(our_serverctrls),
				      NUM_ELEMENTS(our_clientctrls),
				      c, NULL, NULL);

		DEBUG3("Closing connection %p libldap handle %p", c->handle, c);
		ldap_unbind_ext(c->handle, our_serverctrls, our_clientctrls);	/* Same code as ldap_unbind_ext_s */
	}

	fr_ldap_control_clear(c);

	return 0;
}

/** Allocate our ldap connection handle layer
 *
 * This is using handles outside of the connection state machine.
 *
 * @param[in] ctx to allocate connection handle in.
 * @return
 *	- A new unbound/unconfigured connection handle on success.
 *	  Call f#r_ldap_connection_configure next.
 *	- NULL on OOM.
 */
fr_ldap_connection_t *fr_ldap_connection_alloc(TALLOC_CTX *ctx)
{
	fr_ldap_connection_t *c;

	/*
	 *	Allocate memory for the handle.
	 */
	c = talloc_zero(ctx, fr_ldap_connection_t);
	if (!c) return NULL;

	talloc_set_destructor(c, _ldap_connection_free);

	/*
	 *	Ensure the fd is invalid to start with, preventing
	 *	attempts to remove fd events if the server is shut down
	 *	before the LDAP connection is established
	 */
	c->fd = -1;

	return c;
}

/** Watcher for LDAP connections being closed
 *
 * If there are any outstanding queries on the connection then
 * re-parent the connection to the NULL ctx so that it remains
 * until all the queries have been dealt with.
 */
static void _ldap_connection_close_watch(connection_t *conn, UNUSED connection_state_t prev,
					 UNUSED connection_state_t state, void *uctx)
{
	fr_ldap_connection_t	*ldap_conn = talloc_get_type_abort(uctx, fr_ldap_connection_t);

	if ((fr_rb_num_elements(ldap_conn->queries) == 0) && (fr_dlist_num_elements(&ldap_conn->refs) == 0)) return;

	talloc_reparent(conn, NULL, ldap_conn);
	ldap_conn->conn = NULL;
}

/** (Re-)Initialises the libldap side of the connection handle
 *
 *  The first ldap state transition is either:
 *
 *     init -> start tls
 *  or
 *     init -> bind
 *
 *  Either way libldap will try an open the connection so when fr_ldap_state_next
 *  returns we should have the file descriptor to pass back.
 *
 *  The complete order of operations is:
 *
 *  - Initialise the libldap handle with fr_ldap_connection_configure (calls ldap_init)
 *  - Initiate the connection with fr_ldap_state_next, which either binds or calls start_tls.
 *  - Either operation calls ldap_send_server_request.
 *    - Which calls ldap_new_connection.
 *    - Which calls ldap_int_open_connection.
 *    - Which calls ldap_connect_to_(host|path) and adds socket buffers, and possibly
 *      calls ldap_int_tls_start (for ldaps://).
 *    - When ldap_new_connection returns, because LDAP_OPT_CONNECT_ASYNC
 *      is set to LDAP_OPT_ON, lc->lconn_status is set to LDAP_CONNST_CONNECTING.
 *    - ldap_send_server_request checks for lconn_stats == LDAP_CONNST_CONNECTING,
 *      and calls ldap_int_poll, which checks the fd for error conditions
 *      and immediately returns due to the network timeout value.
 *    - If the socket is not yet connected:
 *      - As network timeout on the LDAP handle is 0, ld->ld_errno is set to
 *        LDAP_X_CONNECTING. ldap_send_server_request returns -1.
 *      - bind or start_tls errors with LDAP_X_CONNECTING without sending the request.
 *      - We install a write I/O handler, and wait to be called again, then we retry the
 *        operation.
 *    - else
 *      - the bind or start_tls operation succeeds, our ldap state machine advances,
 *        the connection callback is called and our socket state machine transitions to
 *        connected.
 *  - Continue running the state machine
 *
 * @param[out] h	Underlying file descriptor from libldap handle.
 * @param[in] conn	Being initialised.
 * @param[in] uctx	Our LDAP connection handle (a #fr_ldap_connection_t).
 * @return
 *	- CONNECTION_STATE_CONNECTING on success.
 *	- CONNECTION_STATE_FAILED on failure.
 */
CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
static connection_state_t _ldap_connection_init(void **h, connection_t *conn, void *uctx)
{
	fr_ldap_config_t const	*config = uctx;
	fr_ldap_connection_t	*c;
	fr_ldap_state_t		state;

	c = fr_ldap_connection_alloc(conn);
	c->conn = conn;
	/*
	 *	Initialise tree for outstanding queries handled by this connection
	 */
	MEM(c->queries = fr_rb_inline_talloc_alloc(c, fr_ldap_query_t, node, fr_ldap_query_cmp, NULL));
	fr_dlist_init(&c->refs, fr_ldap_query_t, entry);

	/*
	 *	Configure/allocate the libldap handle
	 */
	if (fr_ldap_connection_configure(c, config) < 0) {
	error:
		talloc_free(c);
		return CONNECTION_STATE_FAILED;
	}

	/* Don't block */
	if (ldap_set_option(c->handle, LDAP_OPT_CONNECT_ASYNC, LDAP_OPT_ON) != LDAP_OPT_SUCCESS) goto error;
	fr_ldap_connection_timeout_set(c, fr_time_delta_wrap(0));	/* Forces LDAP_X_CONNECTING */

	state = fr_ldap_state_next(c);
	if (state == FR_LDAP_STATE_ERROR) goto error;

	connection_add_watch_pre(conn, CONNECTION_STATE_CLOSED, _ldap_connection_close_watch, true, c);

	*h = c;	/* Set the handle */

	return CONNECTION_STATE_CONNECTING;
}

/** Alloc a self re-establishing connection to an LDAP server
 *
 * @param[in] ctx		to allocate any memory in, and to bind the lifetime of the connection to.
 * @param[in] el		to insert I/O and timer callbacks into.
 * @param[in] config		to use to bind the connection to an LDAP server.
 * @param[in] log_prefix	to prepend to connection state messages.
 */
connection_t	*fr_ldap_connection_state_alloc(TALLOC_CTX *ctx, fr_event_list_t *el,
					        fr_ldap_config_t const *config, char const *log_prefix)
{
	connection_t *conn;

	conn = connection_alloc(ctx, el,
				   &(connection_funcs_t){
				   	.init = _ldap_connection_init,
				   	.close = _ldap_connection_close
				   },
				   &(connection_conf_t){
				   	.connection_timeout = config->net_timeout,
				   	.reconnection_delay = config->reconnection_delay
				   },
				   log_prefix, config);
	if (!conn) {
		PERROR("Failed allocating state handler for new LDAP connection");
		return NULL;
	}

	return conn;
}

int fr_ldap_connection_timeout_set(fr_ldap_connection_t const *c, fr_time_delta_t timeout)
{
	int ldap_errno;

	/*
	 *	A value of zero results in an handle configuration failure.
	 *
	 *	When most people specify zero they mean infinite.
	 *
	 *	libldap requires tv_sec to be -1 to mean that.
	 */
	do_ldap_option(LDAP_OPT_NETWORK_TIMEOUT, "net_timeout",
		       (fr_time_delta_ispos(timeout) ?
		       		&fr_time_delta_to_timeval(timeout) :
		       		&(struct timeval) { .tv_sec = -1, .tv_usec = 0 }));

	return 0;

error:
	return -1;
}

int fr_ldap_connection_timeout_reset(fr_ldap_connection_t const *c)
{
	int ldap_errno;

	/*
	 *	A value of zero results in an handle configuration failure.
	 *
	 *	When most people specify zero they mean infinite.
	 *
	 *	libldap requires tv_sec to be -1 to mean that.
	 */
	do_ldap_option(LDAP_OPT_NETWORK_TIMEOUT, "net_timeout",
		       (fr_time_delta_ispos(c->config->net_timeout) ?
		       		&fr_time_delta_to_timeval(c->config->net_timeout) :
				&(struct timeval) { .tv_sec = -1, .tv_usec = 0 }));

	return 0;

error:
	return -1;
}

/** Callback for closing idle LDAP trunk
 *
 */
static void _ldap_trunk_idle_timeout(fr_timer_list_t *tl, UNUSED fr_time_t now, void *uctx)
{
	fr_ldap_thread_trunk_t	*ttrunk = talloc_get_type_abort(uctx, fr_ldap_thread_trunk_t);

	if (ttrunk->trunk->req_alloc == 0) {
		DEBUG2("Removing idle LDAP trunk to \"%s\"", ttrunk->uri);
		talloc_free(ttrunk->trunk);
		talloc_free(ttrunk);
	} else {
		/*
		 *	There are still pending queries - insert a new event
		 */
		(void) fr_timer_in(ttrunk, tl, &ttrunk->ev, ttrunk->t->config->idle_timeout,
				   false, _ldap_trunk_idle_timeout, ttrunk);
	}
}

/** Callback when an LDAP trunk request is cancelled
 *
 * Ensure the request is removed from the list of outstanding requests
 */
static void ldap_request_cancel(UNUSED connection_t *conn, void *preq, UNUSED trunk_cancel_reason_t reason,
			        UNUSED void *uctx) {
	fr_ldap_query_t	*query = talloc_get_type_abort(preq, fr_ldap_query_t);

	if (query->ldap_conn) {
		fr_rb_remove(query->ldap_conn->queries, query);
		query->ldap_conn = NULL;
	}
}

/** Callback to cancel LDAP queries
 *
 * Inform the remote LDAP server that we no longer want responses to specific queries.
 *
 * @param[in] el	For timer management.
 * @param[in] tconn	The trunk connection handle
 * @param[in] conn	The specific connection queries will be cancelled on
 * @param[in] uctx	Context provided to trunk_alloc
 */
CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
static void ldap_request_cancel_mux(UNUSED fr_event_list_t *el, trunk_connection_t *tconn,
				    connection_t *conn, UNUSED void *uctx)
{
	trunk_request_t	*treq;
	fr_ldap_connection_t	*ldap_conn = talloc_get_type_abort(conn->h, fr_ldap_connection_t);
	fr_ldap_query_t		*query;

	while ((trunk_connection_pop_cancellation(&treq, tconn)) == 0) {
		query = talloc_get_type_abort(treq->preq, fr_ldap_query_t);
		ldap_abandon_ext(ldap_conn->handle, query->msgid, NULL, NULL);

		trunk_request_signal_cancel_complete(treq);
	}
}

/** Callback to tidy up when a trunk request fails
 *
 */
static void ldap_request_fail(request_t *request, void *preq, UNUSED void *rctx,
			      UNUSED trunk_request_state_t state, UNUSED void *uctx)
{
	fr_ldap_query_t		*query = talloc_get_type_abort(preq, fr_ldap_query_t);

	/*
	 *	Failed trunk requests get freed - so remove association in query.
	 */
	query->treq = NULL;
	query->ret = LDAP_RESULT_ERROR;

	/*
	 *	Ensure request is runnable.
	 */
	if (request) unlang_interpret_mark_runnable(request);
}

TRUNK_NOTIFY_FUNC(ldap_trunk_connection_notify, fr_ldap_connection_t)

/** Allocate an LDAP trunk connection
 *
 * @param[in] tconn		Trunk handle.
 * @param[in] el		Event list which will be used for I/O and timer events.
 * @param[in] conn_conf		Configuration of the connection.
 * @param[in] log_prefix	What to prefix log messages with.
 * @param[in] uctx		User context passed to trunk_alloc.
 */
CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
static connection_t *ldap_trunk_connection_alloc(trunk_connection_t *tconn, fr_event_list_t *el,
						    UNUSED connection_conf_t const *conn_conf,
						    char const *log_prefix, void *uctx)
{
	fr_ldap_thread_trunk_t	*thread_trunk = talloc_get_type_abort(uctx, fr_ldap_thread_trunk_t);

	return fr_ldap_connection_state_alloc(tconn, el, &thread_trunk->config, log_prefix);
}

#define POPULATE_LDAP_CONTROLS(_dest, _src) do { \
	int i; \
	for (i = 0; (i < LDAP_MAX_CONTROLS) && (_src[i].control); i++) { \
		_dest[i] = _src[i].control; \
	} \
	_dest[i] = NULL; \
} while (0)

/** Take LDAP pending queries from the queue and send them.
 *
 * @param[in] el	Event list for timers.
 * @param[in] tconn	Trunk handle.
 * @param[in] conn	on which to send the queries
 * @param[in] uctx	User context passed to trunk_alloc
 */
CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
static void ldap_trunk_request_mux(UNUSED fr_event_list_t *el, trunk_connection_t *tconn,
				   connection_t *conn, UNUSED void *uctx)
{
	fr_ldap_connection_t	*ldap_conn = talloc_get_type_abort(conn->h, fr_ldap_connection_t);
	trunk_request_t	*treq;

	LDAPURLDesc		*referral_url = NULL;

	fr_ldap_query_t		*query = NULL;
	fr_ldap_rcode_t		status;

	while (trunk_connection_pop_request(&treq, tconn) == 0) {
		LDAPControl	*our_serverctrls[LDAP_MAX_CONTROLS + 1];
		LDAPControl	*our_clientctrls[LDAP_MAX_CONTROLS + 1];

		if (!treq) break;

		query = talloc_get_type_abort(treq->preq, fr_ldap_query_t);

		switch (query->type) {
		case LDAP_REQUEST_SEARCH:
			/*
			 *	This query is a LDAP search
			 */
			if (query->referral) referral_url = query->referral->referral_url;

			POPULATE_LDAP_CONTROLS(our_serverctrls, query->serverctrls);
			POPULATE_LDAP_CONTROLS(our_clientctrls, query->clientctrls);

			/*
			 *	If we are chasing a referral, referral_url will be populated and may
			 *	have a base dn or scope to override the original query
			 */
			status = fr_ldap_search_async(&query->msgid, query->treq->request, ldap_conn,
						      (referral_url && referral_url->lud_dn) ?
						      	referral_url->lud_dn : query->dn,
						      (referral_url && referral_url->lud_scope) ?
					      		referral_url->lud_scope : query->search.scope,
					      	      query->search.filter, query->search.attrs,
						      our_serverctrls, our_clientctrls);
			break;

		case LDAP_REQUEST_MODIFY:
			/*
			 *	Send a request to modify an object
			 */
			POPULATE_LDAP_CONTROLS(our_serverctrls, query->serverctrls);
			POPULATE_LDAP_CONTROLS(our_clientctrls, query->clientctrls);

			status = fr_ldap_modify_async(&query->msgid, query->treq->request,
						      ldap_conn, query->dn, query->mods,
						      our_serverctrls, our_clientctrls);
			break;

		case LDAP_REQUEST_DELETE:
			/*
			 *	Send a request to delete an object
			 */
			POPULATE_LDAP_CONTROLS(our_serverctrls, query->serverctrls);
			POPULATE_LDAP_CONTROLS(our_clientctrls, query->clientctrls);

			status = fr_ldap_delete_async(&query->msgid, query->treq->request,
						      ldap_conn, query->dn,
						      our_serverctrls, our_clientctrls);
			break;

		case LDAP_REQUEST_EXTENDED:
			/*
			 *	This query is an LDAP extended operation.
			 */
			status = fr_ldap_extended_async(&query->msgid, query->treq->request, ldap_conn,
							query->extended.reqoid, query->extended.reqdata);
			break;

		default:
			status = LDAP_PROC_ERROR;
			ERROR("Invalid LDAP query for trunk connection");
		error:
			trunk_request_signal_fail(query->treq);
			if (status == LDAP_PROC_BAD_CONN) trunk_connection_signal_reconnect(tconn, CONNECTION_FAILED);
			continue;

		}

		if (status != LDAP_PROC_SUCCESS) goto error;

		/*
		 *	If the query has previously been associated with a different
		 *	connection, remove that reference.  Typically when following references.
		 */
		if (query->ldap_conn) fr_dlist_remove(&query->ldap_conn->refs, query);

		/*
		 *	Record which connection was used for this query
		 *	- results processing often needs access to an LDAP handle
		 */
		query->ldap_conn = ldap_conn;

		/*
		 *	Add the query to the tree of pending queries for this trunk
		 */
		fr_rb_insert(query->ldap_conn->queries, query);

		trunk_request_signal_sent(treq);
	}

}

/** Read LDAP responses
 *
 * Responses from the LDAP server will cause the fd to become readable and trigger this
 * callback.  Most LDAP search responses have multiple messages in their response - we
 * only gather those which are complete before either following a referral or passing
 * the head of the resulting chain of messages back.
 *
 * @param[in] el	To insert timers into.
 * @param[in] tconn	Trunk connection associated with these results.
 * @param[in] conn	Connection handle for these results.
 * @param[in] uctx	Thread specific trunk structure - contains tree of pending queries.
 */
CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
static void ldap_trunk_request_demux(fr_event_list_t *el, trunk_connection_t *tconn, connection_t *conn, void *uctx)
{
	fr_ldap_connection_t	*ldap_conn = talloc_get_type_abort(conn->h, fr_ldap_connection_t);
	fr_ldap_thread_trunk_t	*ttrunk = talloc_get_type_abort(uctx, fr_ldap_thread_trunk_t);

	int 			ret = 0, msgtype;
	struct timeval		poll = { 0, 10 };
	LDAPMessage		*result = NULL;
	fr_ldap_rcode_t		rcode;
	fr_ldap_query_t		find = { .msgid = -1 }, *query = NULL;
	request_t		*request;
	bool			really_no_result = false;
	trunk_request_t		*treq;

	/*
	 *  Reset the idle timeout event
	 */
	(void) fr_timer_in(ttrunk, el->tl, &ttrunk->ev,
			   ttrunk->t->config->idle_timeout, false, _ldap_trunk_idle_timeout, ttrunk);

	do {
		/*
		 *	Look for any results for which we have the complete result message
		 *	ldap_result will return a pointer to a chain of messages.
		 *
		 *	The first time ldap_result is called when there's pending network
		 *	data, it may read the data, but not return any results.
		 *
		 *	In order to fix the spurious debugging messages and overhead,
		 *	if this is the first iteration through the loop and ldap_result
		 *	returns no result (0), we call it again.
		 */
		ret = ldap_result(ldap_conn->handle, LDAP_RES_ANY, LDAP_MSG_ALL, &poll, &result);
		switch (ret) {
		case 0:
			if (really_no_result) return;
			really_no_result = true;
			continue;

		case -1:
			rcode = fr_ldap_error_check(NULL, ldap_conn, NULL, NULL);
			if (rcode == LDAP_PROC_BAD_CONN) {
				ERROR("Bad LDAP connection");
				connection_signal_reconnect(tconn->conn, CONNECTION_FAILED);
			}
			return;

		default:
			/*
			 *	We only retry ldap_result the first time through the loop.
			 */
			really_no_result = true;
			break;
		}

		find.msgid = ldap_msgid(result);
		query = fr_rb_find(ldap_conn->queries, &find);

		if (!query) {
			WARN("Ignoring msgid %i - doesn't match any outstanding queries (it may have been cancelled)",
			      find.msgid);
			ldap_msgfree(result);
			continue;
		}

		/*
		 *	Remove the query from the tree of outstanding queries
		 */
		fr_rb_remove(ldap_conn->queries, query);

		/*
		 *	Add the query to the list of queries referencing this connection.
		 *	Prevents the connection from being freed until the query has finished using it.
		 */
		fr_dlist_insert_tail(&ldap_conn->refs, query);

		/*
		 *	This really shouldn't happen - as we only retrieve complete sets of results -
		 *	but as the query data structure will last until its results are fully handled
		 *	better to have this safety check here.
		 */
		if (query->ret != LDAP_RESULT_PENDING) {
			WARN("Received results for msgid %i which has already been handled - ignoring", find.msgid);
			ldap_msgfree(result);
			continue;
		}

		msgtype = ldap_msgtype(result);

		/*
		 *	Request to reference in debug output
		 */
		request = query->treq->request;

		ROPTIONAL(RDEBUG2, DEBUG2, "Got %s response for message %d",
			  ldap_msg_types[msgtype], query->msgid);
		rcode = fr_ldap_error_check(NULL, ldap_conn, result, query->dn);

		switch (rcode) {
		case LDAP_PROC_SUCCESS:
			switch (query->type) {
			case LDAP_REQUEST_SEARCH:
				query->ret = (ldap_count_entries(ldap_conn->handle, result) == 0) ?
						LDAP_RESULT_NO_RESULT : LDAP_RESULT_SUCCESS;
				break;

			default:
				query->ret = LDAP_RESULT_SUCCESS;
				break;
			}
			break;

		case LDAP_PROC_REFERRAL:
			if (!ttrunk->t->config->chase_referrals) {
				ROPTIONAL(REDEBUG, ERROR,
					  "LDAP referral received but 'chase_referrals' is set to 'no'");
				query->ret = LDAP_RESULT_EXCESS_REFERRALS;
				break;
			}

			if (query->referral_depth >= ttrunk->t->config->referral_depth) {
				ROPTIONAL(REDEBUG, ERROR, "Maximum LDAP referral depth (%d) exceeded",
					  ttrunk->t->config->referral_depth);
				query->ret = LDAP_RESULT_EXCESS_REFERRALS;
				break;
			}

			/*
			 *	If we've come here as the result of an existing referral
			 *	clear the previous list of URLs before getting the next list.
			 */
			if (query->referral_urls) ldap_memvfree((void **)query->referral_urls);

			ldap_get_option(ldap_conn->handle, LDAP_OPT_REFERRAL_URLS, &query->referral_urls);
			if (!(query->referral_urls) || (!(query->referral_urls[0]))) {
				ROPTIONAL(REDEBUG, ERROR, "LDAP referral missing referral URL");
				query->ret = LDAP_RESULT_MISSING_REFERRAL;
				break;
			}

			query->referral_depth ++;

			if (fr_ldap_referral_follow(ttrunk->t, request, query) == 0) {
			next_follow:
				ldap_msgfree(result);
				continue;
			}

			ROPTIONAL(REDEBUG, ERROR, "Unable to follow any LDAP referral URLs");
			query->ret = LDAP_RESULT_REFERRAL_FAIL;
			break;

		case LDAP_PROC_BAD_DN:
			ROPTIONAL(RDEBUG2, DEBUG2, "DN %s does not exist", query->dn);
			query->ret = LDAP_RESULT_BAD_DN;
			break;

		default:
			ROPTIONAL(RPERROR, PERROR, "LDAP server returned an error");

			if (query->referral_depth > 0) {
				/*
				 *	We're processing a referral - see if there are any more to try
				 */
				fr_dlist_talloc_free_item(&query->referrals, query->referral);
				query->referral = NULL;

				if ((fr_dlist_num_elements(&query->referrals) > 0) &&
				    (fr_ldap_referral_next(ttrunk->t, request, query) == 0)) goto next_follow;
			}

			query->ret = LDAP_RESULT_REFERRAL_FAIL;
			break;
		}

		/*
		 *	Remove the timeout event
		 */
		FR_TIMER_DELETE(&query->ev);
		query->result = result;

		/*
		 *	If we have a specific parser to handle the result, call it
		 */
		if (query->parser && (rcode == LDAP_PROC_SUCCESS)) query->parser(ldap_conn->handle, query,
										 result, query->treq->rctx);

		/*
		 *	Set the request as runnable
		 */
		if (request) unlang_interpret_mark_runnable(request);

		/*
		 *	If referral following failed, there is no active trunk request.
		 */
		if (!query->treq) continue;

		/*
		 *	If the query is parented off the treq then it will be freed when
		 *	the request is completed.  If it is parented by something else then it will not.
		 */
		treq = query->treq;
		query->treq = NULL;
		trunk_request_signal_complete(treq);
	} while (1);
}

static int _thread_ldap_trunk_free(fr_ldap_thread_trunk_t *ttrunk)
{
	if (ttrunk->t && fr_rb_node_inline_in_tree(&ttrunk->node)) fr_rb_remove(ttrunk->t->trunks, ttrunk);

	return 0;
}

/** Find a thread specific LDAP connection for a specific URI / bind DN
 *
 * If no existing connection exists for that combination then create a new one
 *
 * @param[in] thread		to which the connection belongs
 * @param[in] uri		of the host to find / create a connection to
 * @param[in] bind_dn		to make the connection as
 * @param[in] bind_password	for making connection
 * @param[in] request		currently being processed (only for debug messages)
 * @param[in] config		LDAP config of the module requesting the connection.
 * @return
 *	- an existing or new connection matching the URI and bind DN
 *	- NULL on failure
 */
fr_ldap_thread_trunk_t *fr_thread_ldap_trunk_get(fr_ldap_thread_t *thread, char const *uri,
						 char const *bind_dn, char const *bind_password,
						 request_t *request, fr_ldap_config_t const *config)
{
	fr_ldap_thread_trunk_t	*found, find = {.uri = uri, .bind_dn = bind_dn};

	ROPTIONAL(RDEBUG2, DEBUG2, "Looking for LDAP connection to \"%s\" bound as \"%s\"", uri,
		 bind_dn ? bind_dn : "(anonymous)");
	found = fr_rb_find(thread->trunks, &find);

	if (found) return found;

	/*
	 *	No existing connection matching the requirement - create a new one
	 */
	ROPTIONAL(RDEBUG2, DEBUG2, "No existing connection found - creating new one");
	found = talloc_zero(thread, fr_ldap_thread_trunk_t);
	talloc_set_destructor(found, _thread_ldap_trunk_free);

	/*
	 *	Build config for this connection - start with module settings and
	 *	override server and bind details
	 */
	memcpy(&found->config, config, sizeof(fr_ldap_config_t));
	found->config.server = talloc_strdup(found, uri);
	found->config.admin_identity = talloc_strdup(found, bind_dn);
	found->config.admin_password = talloc_strdup(found, bind_password);

	found->uri = found->config.server;
	found->bind_dn = found->config.admin_identity;

	found->trunk = trunk_alloc(found, thread->el,
				      &(trunk_io_funcs_t){
					      .connection_alloc = ldap_trunk_connection_alloc,
					      .connection_notify = ldap_trunk_connection_notify,
					      .request_mux = ldap_trunk_request_mux,
					      .request_demux = ldap_trunk_request_demux,
					      .request_cancel = ldap_request_cancel,
					      .request_cancel_mux = ldap_request_cancel_mux,
					      .request_fail = ldap_request_fail,
					},
				      thread->trunk_conf,
				      "rlm_ldap", found, false, thread->trigger_args);

	if (!found->trunk) {
	error:
		ROPTIONAL(REDEBUG, ERROR, "Unable to create LDAP connection");
		talloc_free(found);
		return NULL;
	}

	found->t = thread;

	/*
	 *  Insert event to close trunk if it becomes idle
	 */
	if (!fr_cond_assert_msg(fr_timer_in(found, thread->el->tl, &found->ev, thread->config->idle_timeout,
					    false, _ldap_trunk_idle_timeout, found) == 0, "cannot insert trunk idle event")) goto error;

	/*
	 *	Attempt to discover what type directory we are talking to
	 */
	if (fr_ldap_trunk_directory_alloc_async(found, found) < 0) goto error;

	fr_rb_insert(thread->trunks, found);

	return found;
}

/** Lookup the state of a thread specific LDAP connection trunk for a specific URI / bind DN
 *
 * @param[in] thread		to which the connection belongs
 * @param[in] uri		of the host to find / create a connection to
 * @param[in] bind_dn		to make the connection as
 * @return
 *	- State of a trunk matching the URI and bind DN
 *	- TRUNK_STATE_MAX if no matching trunk
 */
trunk_state_t fr_thread_ldap_trunk_state(fr_ldap_thread_t *thread, char const *uri, char const *bind_dn)
{
	fr_ldap_thread_trunk_t	*found, find = {.uri = uri, .bind_dn = bind_dn};

	found = fr_rb_find(thread->trunks, &find);

	return (found) ? found->trunk->state : TRUNK_STATE_MAX;
}

/** Take pending LDAP bind auths from the queue and send them.
 *
 * @param[in] el	Event list for timers.
 * @param[in] tconn	Trunk handle.
 * @param[in] conn	on which to send the queries
 * @param[in] uctx	User context passed to trunk_alloc
 */
CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
static void ldap_trunk_bind_auth_mux(UNUSED fr_event_list_t *el, trunk_connection_t *tconn,
				   connection_t *conn, void *uctx)
{
	fr_ldap_connection_t	*ldap_conn = talloc_get_type_abort(conn->h, fr_ldap_connection_t);
	fr_ldap_thread_trunk_t	*ttrunk = talloc_get_type_abort(uctx, fr_ldap_thread_trunk_t);
	fr_ldap_thread_t	*thread = ttrunk->t;
	trunk_request_t	*treq;

	fr_ldap_bind_auth_ctx_t	*bind = NULL;
	int			ret = 0;
	struct berval		cred;
	request_t		*request;

	if (trunk_connection_pop_request(&treq, tconn) != 0) return;

	/* Pacify clang scan */
	if (!treq) return;

	bind = talloc_get_type_abort(treq->preq, fr_ldap_bind_auth_ctx_t);
	request = bind->request;

	switch (bind->type) {
	case LDAP_BIND_SIMPLE:
	{
		fr_ldap_bind_ctx_t	*bind_ctx = bind->bind_ctx;

		RDEBUG2("Starting bind auth operation as %s", bind_ctx->bind_dn);

		if (bind_ctx->password) {
			memcpy(&cred.bv_val, &bind_ctx->password, sizeof(cred.bv_val));
			cred.bv_len = talloc_array_length(bind_ctx->password) - 1;
		} else {
			cred.bv_val = NULL;
			cred.bv_len = 0;
		}

		ret = ldap_sasl_bind(ldap_conn->handle, bind_ctx->bind_dn, LDAP_SASL_SIMPLE,
			     	     &cred, NULL, NULL, &bind->msgid);

		switch (ret) {
		case LDAP_SUCCESS:
			fr_rb_insert(thread->binds, bind);
			RDEBUG3("Bind auth sent as LDAP msgid %d", bind->msgid);
			break;

		default:
			bind->ret = LDAP_PROC_ERROR;
			unlang_interpret_mark_runnable(treq->request);
			RERROR("Failed to send bind auth");
			break;
		}
	}
		break;

#ifdef WITH_SASL
	case LDAP_BIND_SASL:
	{
		fr_ldap_sasl_ctx_t	*sasl_ctx = bind->sasl_ctx;

		RDEBUG2("%s SASL bind auth operation as %s", sasl_ctx->rmech ? "Continuing" : "Starting",
			sasl_ctx->identity);

		ret = fr_ldap_sasl_bind_auth_send(sasl_ctx, &bind->msgid, ldap_conn);

		switch (ret) {
		case LDAP_SASL_BIND_IN_PROGRESS:
			/*
			 *	Add the bind to the list of pending binds.
			 */
			fr_rb_insert(thread->binds, bind);
			RDEBUG3("SASL bind auth sent as LDAP msgid %d", bind->msgid);
			break;

		case LDAP_SUCCESS:
			bind->ret = LDAP_PROC_SUCCESS;
			unlang_interpret_mark_runnable(treq->request);
			break;

		default:
			bind->ret = LDAP_PROC_ERROR;
			unlang_interpret_mark_runnable(treq->request);
			RERROR("Failed to send SASL bind auth");
			break;
		}
	}
#endif
		break;
	}
	/*
	 *	The request is marked as sent, to remove from the pending list.
	 *	This is regardless of whether the sending was successful or not as
	 *	the different states are handled by the resume function which then
	 *	marks the request as complete triggering the tidy up.
	 */
	trunk_request_signal_sent(treq);
}

/** Read LDAP bind auth responses
 *
 * @param[in] el	To insert timers into.
 * @param[in] tconn	Trunk connection associated with these results.
 * @param[in] conn	Connection handle for these results.
 * @param[in] uctx	Thread specific trunk structure - contains tree of pending queries.
 */
CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
static void ldap_trunk_bind_auth_demux(UNUSED fr_event_list_t *el, UNUSED trunk_connection_t *tconn,
				       connection_t *conn, void *uctx)
{
	fr_ldap_connection_t	*ldap_conn = talloc_get_type_abort(conn->h, fr_ldap_connection_t);
	fr_ldap_thread_trunk_t	*ttrunk = talloc_get_type_abort(uctx, fr_ldap_thread_trunk_t);
	fr_ldap_thread_t	*thread = ttrunk->t;
	fr_ldap_bind_auth_ctx_t	find = { .msgid = -1 }, *bind = NULL;

	int 			ret = 0;
	LDAPMessage		*result = NULL;
	request_t		*request;
	bool			really_no_result = false;

	do {
		/*
		 *	The first time ldap_result is called when there's pending network
		 *	data, it may read the data, but actually return a timeout.
		 *
		 *	In order to fix the spurious debugging messages and overhead,
		 *	if this is the first iteration through the loop and fr_ldap_result
		 *	returns a timeout, we call it again.
		 */
		ret = fr_ldap_result(&result, NULL, ldap_conn, LDAP_RES_ANY, LDAP_MSG_ALL, NULL, fr_time_delta_wrap(10));
		if (ret == LDAP_PROC_TIMEOUT) {
			if (really_no_result) return;
			really_no_result = true;
			continue;
		}

		if (!result) return;

		really_no_result = true;
		find.msgid = ldap_msgid(result);
		bind = fr_rb_find(thread->binds, &find);

		if (!bind) {
			WARN("Ignoring bind result msgid %i - doesn't match any outstanding binds", find.msgid);
			ldap_msgfree(result);
			result = NULL;
			continue;
		}
	} while (!bind);

	/*
	 *	There will only ever be one bind in flight at a time on a given
	 *	connection - so having got a result, no need to loop.
	 */

	fr_rb_remove(thread->binds, bind);
	request = bind->request;
	bind->ret = ret;

	switch (ret) {
	/*
	 *	Accept or reject will be SUCCESS, NOT_PERMITTED or REJECT
	 */
	case LDAP_PROC_NOT_PERMITTED:
	case LDAP_PROC_REJECT:
	case LDAP_PROC_BAD_DN:
	case LDAP_PROC_NO_RESULT:
		break;

	case LDAP_PROC_SUCCESS:
		if (bind->type == LDAP_BIND_SIMPLE) break;

		/*
		 *	With SASL binds, we will be here after ldap_sasl_interactive_bind
		 *	returned LDAP_SASL_BIND_IN_PROGRESS.  That always requires a further
		 *	call of ldap_sasl_interactive_bind to get the final result.
		 */
		bind->ret = LDAP_PROC_CONTINUE;
		FALL_THROUGH;

	case LDAP_PROC_CONTINUE:
	{
		fr_ldap_sasl_ctx_t	*sasl_ctx = bind->sasl_ctx;
		struct berval		*srv_cred;

		/*
		 *	Free any previous result and track the new one.
		 */
		if (sasl_ctx->result) ldap_msgfree(sasl_ctx->result);
		sasl_ctx->result = result;
		result = NULL;

		ret = ldap_parse_sasl_bind_result(ldap_conn->handle, sasl_ctx->result, &srv_cred, 0);
		if (ret != LDAP_SUCCESS) {
			RERROR("SASL decode failed (bind failed): %s", ldap_err2string(ret));
			break;
		}

		if (srv_cred) {
			RDEBUG3("SASL response  : %pV",
				fr_box_strvalue_len(srv_cred->bv_val, srv_cred->bv_len));
			ber_bvfree(srv_cred);
		}

		if (sasl_ctx->rmech) RDEBUG3("Continuing SASL mech %s...", sasl_ctx->rmech);
	}
		break;

	default:
		break;
	}

	ldap_msgfree(result);
	unlang_interpret_mark_runnable(request);
}

/** Callback to cancel LDAP bind auth
 *
 * Inform the remote LDAP server that we no longer want responses to specific bind.
 *
 * @param[in] el	For timer management.
 * @param[in] tconn	The trunk connection handle
 * @param[in] conn	The specific connection binds will be cancelled on
 * @param[in] uctx	Context provided to trunk_alloc
 */
CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
static void ldap_bind_auth_cancel_mux(UNUSED fr_event_list_t *el, trunk_connection_t *tconn,
				    connection_t *conn, UNUSED void *uctx)
{
	trunk_request_t	*treq;
	fr_ldap_connection_t	*ldap_conn = talloc_get_type_abort(conn->h, fr_ldap_connection_t);
	fr_ldap_bind_auth_ctx_t	*bind;

	while ((trunk_connection_pop_cancellation(&treq, tconn)) == 0) {
		bind = talloc_get_type_abort(treq->preq, fr_ldap_bind_auth_ctx_t);
#ifdef WITH_SASL
		if (bind->type == LDAP_BIND_SASL) {
			/*
			 *	With SASL binds, abandoning the bind part way through
			 *	seems to leave the connection in an unpredictable state
			 *	so safer to restart.
			 */
			trunk_connection_signal_reconnect(tconn, CONNECTION_FAILED);
		} else {
#endif
			ldap_abandon_ext(ldap_conn->handle, bind->msgid, NULL, NULL);
#ifdef WITH_SASL
		}
#endif
		trunk_request_signal_cancel_complete(treq);
	}
}

/** Callback to tidy up when a bind auth trunk request fails
 *
 */
static void ldap_trunk_bind_auth_fail(request_t *request, void *preq, UNUSED void *rctx,
				UNUSED trunk_request_state_t state, UNUSED void *uctx)
{
	fr_ldap_bind_auth_ctx_t	*bind = talloc_get_type_abort(preq, fr_ldap_bind_auth_ctx_t);

	/*
	 *	Failed trunk requests get freed - so remove association in bind structure,
	 *	and change talloc parentage so resume function still has something to work with.
	 */
	bind->treq = NULL;
	bind->ret = LDAP_PROC_ERROR;
	talloc_steal(NULL, bind);

	/*
	 *	Ensure request is runnable.
	 */
	if (request) unlang_interpret_mark_runnable(request);
}

/** Find the thread specific trunk to use for LDAP bind auths
 *
 * If there is no current trunk then a new one is created.
 *
 * @param[in] thread	to which the connection belongs
 * @return
 *	- an existing or new trunk.
 *	- NULL on failure
 */
fr_ldap_thread_trunk_t *fr_thread_ldap_bind_trunk_get(fr_ldap_thread_t *thread)
{
	fr_ldap_thread_trunk_t	*ttrunk;

	if (thread->bind_trunk) return (thread->bind_trunk);

	MEM(ttrunk = talloc_zero(thread, fr_ldap_thread_trunk_t));
	memcpy(&ttrunk->config, thread->config, sizeof(fr_ldap_config_t));

	ttrunk->uri = ttrunk->config.server;
	ttrunk->bind_dn = ttrunk->config.admin_identity;

	ttrunk->trunk = trunk_alloc(ttrunk, thread->el,
				       &(trunk_io_funcs_t){
					      .connection_alloc = ldap_trunk_connection_alloc,
					      .connection_notify = ldap_trunk_connection_notify,
					      .request_mux = ldap_trunk_bind_auth_mux,
					      .request_demux = ldap_trunk_bind_auth_demux,
					      .request_cancel_mux = ldap_bind_auth_cancel_mux,
					      .request_fail = ldap_trunk_bind_auth_fail,
					},
				       thread->bind_trunk_conf,
				       "rlm_ldap bind auth", ttrunk, false, thread->bind_trigger_args);

	if (!ttrunk->trunk) {
		ERROR("Unable to create LDAP connection");
		talloc_free(ttrunk);
		return NULL;
	}

	ttrunk->t = thread;
	thread->bind_trunk = ttrunk;

	return ttrunk;
}
